First of all, hello. Although I am new to posting in these forums, I have been reading through them for some time now and have found the information very helpful. I did do a search prior to adding my topic but got 0 results, so apologies if that is not the case and the question has already been raised.

I have recently moved to a new company and am in the process of evaluating the current Change Management process. One of the areas we seem to be struggling with is the management of security updates. Currently we have a 4-week roll-out of a security patch, and an RFC is required at each stage (week 1 is pilot users, 30 PCs around the firm globally; week 2 is test, an additional 30 PCs; week 3, 40% of the firm; week 4, the remaining 60%). Each update is put through as a separate RFC, which can result in 10+ security updates for review on a weekly basis.

My main question here, I suppose, is: how do other firms handle such requests for security patching? There has been discussion about raising them as a pre-authorised RFC, something that I disagree with as, although it is a repetitive piece of patching work, the patches differ, and also we experience a number of issues the following morning with various things not working as a result of the previous night's patching work.

Here is what we're doing:
1) Verify this in a testing environment with the proper version installed on servers.
2) If all goes well, then we directly push this to clients using some automated tools.

So next time when people's laptops, desktops or servers connect to the company network, the patches would be installed automatically.

This is a kind of regular maintenance for servers and we know it will be done every month. So what we need to do is:
1) Setup the maintenance window for this, e.g. Day 24 every month.
2) Raise the RFC and get approval from CAB by showing the testing result.
3) Do the changes by automated tools.
_________________
Luo, Tian-Hong (Ken)
Regional Operation Lead

BTW, your pain point is not related to process; instead it is about the testing. If the testing is not done correctly, process won't help you.
_________________
Luo, Tian-Hong (Ken)
Regional Operation Lead

Thank you for your reply. Yes, I missed that bit, didn't I? It is the Microsoft patches. I agree when you mention that it's the testing of the patching rather than the process. Unfortunately we do not have a test LAN/environment, so we have to rely on weeks 1 & 2 to flush out any issues!

It's not great. Far from ideal, and unfortunately people seem to think it's a change process issue rather than a testing issue!

You need to have a sandbox and other environments to test the patches from Microsoft. In addition, what you should have is your own Windows update server that pushes the patches from your server, not the public Microsoft server.

The process in a nutshell should be like this:

- Patch comes out.
- You deploy to sandbox. This is to determine if the patch blows up a standard desktop, laptop or server that you have.
  Note: if you don't have these, set them as the first priority.
- Once done in sandbox, for the server patches you deploy to dev, ST, SIT and then production, especially if your system applications are customized. You would test the general functionality; the support teams should do this.
- For the laptops and desktops, set the machines in clusters: IT team (test subjects), senior mgmt, mid mgmt, flunkies, payroll, service desk, help desk etc.
- Deploy the tested patches to a sample group.

Meanwhile, work with the change and release mgmt team to get the above process approved as a continual cycle of changes/releases, hence not needing to request every period.

Once this is in place and has worked for several cycles, you should report back to the C/R every period on the successes/failures.

In addition, you should report to the various support teams about the patches that go to a server for them to analyse as well.
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)
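The internal update server and machine "clusters" (rings) described in the post above, as an added example that is not from any poster in this thread. It assumes a WSUS server reachable at https://wsus.example.internal:8531 (hypothetical hostname), WSUS computer groups named "Ring 1 - Pilot", "Ring 2 - Test", "Ring 3 - 40%" and "Ring 4 - 60%" (hypothetical names) already created in the WSUS console, and WSUS set to "Use Group Policy or registry settings on computers" so that client-side targeting applies. The registry values and the UpdateServices cmdlets are Microsoft's own; the function names and ring names are this example's.

```powershell
# Added example, not code from this thread. Assumptions: WSUS at wsus.example.internal
# on the default HTTPS port 8531, and computer groups "Ring 1 - Pilot" ... "Ring 4 - 60%"
# already present in WSUS with client-side targeting enabled (all hypothetical names).

# ---- Client side: point one machine at the internal WSUS server and assign its ring ----
function Set-UpdateRingClient {
    param(
        [Parameter(Mandatory)] [string] $WsusUrl,   # e.g. https://wsus.example.internal:8531
        [Parameter(Mandatory)] [string] $RingName   # must match a WSUS computer group name
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    New-Item -Path $au -Force | Out-Null

    # Detection and status reporting both go to the internal server, never to the public one.
    Set-ItemProperty -Path $wu -Name 'WUServer'       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $wu -Name 'WUStatusServer' -Value $WsusUrl -Type String
    Set-ItemProperty -Path $au -Name 'UseWUServer'    -Value 1        -Type DWord

    # Client-side targeting: the machine reports which ring (WSUS group) it belongs to.
    Set-ItemProperty -Path $wu -Name 'TargetGroupEnabled' -Value 1         -Type DWord
    Set-ItemProperty -Path $wu -Name 'TargetGroup'        -Value $RingName -Type String

    # Install only what WSUS has approved for this ring, on a fixed schedule:
    # AUOptions 4 = auto download and schedule the install; day 0 = every day; hour 3 = 03:00.
    Set-ItemProperty -Path $au -Name 'NoAutoUpdate'         -Value 0 -Type DWord
    Set-ItemProperty -Path $au -Name 'AUOptions'            -Value 4 -Type DWord
    Set-ItemProperty -Path $au -Name 'ScheduledInstallDay'  -Value 0 -Type DWord
    Set-ItemProperty -Path $au -Name 'ScheduledInstallTime' -Value 3 -Type DWord

    Restart-Service -Name wuauserv   # pick up the new policy on the next detection cycle
}

# ---- Server side: approve this cycle's unapproved security updates for ONE ring ----
# Run once per ring per week; the returned count and titles go into that week's RFC record.
function Approve-SecurityUpdatesForRing {
    param(
        [Parameter(Mandatory)] [string] $RingName,
        [string] $WsusServer = 'wsus.example.internal',   # hypothetical
        [int]    $Port       = 8531,
        [switch] $WhatIf
    )
    Import-Module UpdateServices   # ships with the WSUS role on Windows Server
    $wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port -UseSsl

    $pending = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                              -Approval Unapproved -Status Any
    foreach ($u in $pending) {
        if ($WhatIf) { Write-Output "Would approve '$($u.Update.Title)' for $RingName"; continue }
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $RingName
    }
    return @($pending).Count
}

# Usage (uncomment to run):
# Set-UpdateRingClient -WsusUrl 'https://wsus.example.internal:8531' -RingName 'Ring 1 - Pilot'
# Approve-SecurityUpdatesForRing -RingName 'Ring 1 - Pilot' -WhatIf
# Approve-SecurityUpdatesForRing -RingName 'Ring 1 - Pilot'
```

Two things a practitioner would check before relying on this: that each machine actually appears under its ring in WSUS after the first detection (Get-WsusComputer -UpdateServer $wsus shows group membership), and that WSUS is configured for client-side targeting, because its default is server-side targeting and then the TargetGroup value is silently ignored. Approving per ring is also what makes the "4 rings, one RFC per stage" model enforceable: a machine in Ring 4 cannot receive an update that has only been approved for Ring 1, regardless of what the public Microsoft servers would offer it.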

Thank you for taking the time to reply to my post. A sandbox... if only we were that fortunate! We do not have a test or dev network, which I agree is an area for concern. If we did have one, it would have stopped the chaos I walked into this morning when an update went out causing a massive issue.